Sisters in Law: What can I do if my data was leaked in the Medibank hack?
She was one of the hundreds of customers whose private medical details were published on the dark web after the Medibank hack, and she feels “violated and angry”.
Welcome to Sisters In Law, news.com.au’s weekly column solving all of your legal problems. This week, our resident lawyers and real-life sisters Alison and Jillian Barrett from Maurice Blackburn advise about what you can do if your sensitive data is leaked on the dark web.
Question:
I have private healthcare with Medibank and I was a victim of the recent cyberattack on their stored data.
In the past, I’ve had an abortion and I believe I’m one of the people who had their health data – including information about having an abortion – on the dark web.
I’m not ashamed of having had an abortion but at the same time this is my private health information and I’m horrified that it’s out there for people to see.
I feel violated and angry that this was able to happen. What next? These companies need to be held accountable. What can I do? – Anon, WA
Answer:
We are sorry to hear you are one of the millions of Medibank customers who have had their personal data stolen. You have every right to be concerned about the ramifications of this serious data breach.
The Medibank data breach didn’t just involve sensitive health care information being accessed, it also involved customers’ names, dates of birth, phone numbers, email addresses and some Medicare and passport numbers.
Some of this stolen data has already been posted on the dark web by a ransomware group, which means the potential consequences for the individuals affected could be significant.
You should not go looking for any information or data that may have been released on the dark web. Instead, contact Medibank directly for information about what data of yours may have been compromised.
The stolen personal information could be used to create new accounts in your name, including credit cards, loans, and social media profiles.
You need to be highly alert to any signs that your data is being misused, for example unexplained charges on your bank accounts, or emails, calls or text messages from unfamiliar companies. It would be prudent to change your online account passwords, using a different password for each account.
You can also contact the main credit reporting bodies and ask that they place a temporary ban on your credit report (initially 21 days, which can be extended). While the ban is in place, lenders cannot access your credit report, which makes it much harder for a fraudulent loan or credit card application in your name to be approved.
The Scamwatch website provides additional recommendations for protecting personal information following data breaches.
If you end up being a victim of identity fraud you can report this to the police.
You should also contact any company where an account has been opened in your name using your stolen details and ask that the account be cancelled.
If you are the victim of unauthorised bank transactions or loans, report this to your financial institution so they can investigate. It is likely they will reimburse you the lost funds.
Report any unusual activity to ReportCyber, keep all your devices up to date with the latest security updates, and turn on multi-factor authentication on your accounts wherever it is offered.
IDCARE is a support centre that provides free assistance to victims of identity theft, such as helping to repair any damage caused to your reputation or credit history.
The burning question on everyone’s lips is whether companies like Medibank can be punished for these kinds of data breaches.
Companies that hold sensitive personal information are required to have safeguards in place to protect the information from unauthorised access.
There has been significant debate over many years about Australia’s privacy laws, and the Commonwealth Government has acknowledged that we need to better regulate how companies collect and manage our personal data.
The government has proposed changes that include increasing the maximum penalty for serious or repeated privacy breaches from $2.2 million to $50 million or more.
The Attorney-General’s department is also completing a review of the Privacy Act and it is expected that further recommendations for changes in the law will result.
Whether or not Medibank (and other companies who have been hacked) will be found liable under the Privacy Act will depend on whether the breach was ‘serious’ or ‘repeated’, and whether they have taken ‘reasonable steps’ to protect the personal information.
This will involve a lengthy and complicated investigation into the cybersecurity systems they had in place, how their system was hacked and whether they could have prevented the attack.
It is not just Medibank’s conduct before the data breach that will be under scrutiny.
They also have obligations to report any breach in a timely manner, and to take reasonable steps after the breach to protect the personal information, such as fixing the weaknesses in their systems that allowed the attack.
In addition to any financial penalties on the company, affected customers like you could be successful in claiming money from Medibank for any financial losses caused by the breach.
For example, you may be able to claim the cost of things like seeing a counsellor to help manage the stress associated with the breach, or the installation of security cameras in your home to make you feel safer.
If you are unable to resolve your complaint with Medibank directly, you may wish to lodge a complaint with the Office of the Australian Information Commissioner.
This legal information is general in nature and should not be regarded as specific legal advice or relied upon. Persons requiring particular legal advice should consult a solicitor.
If you have a legal question you would like Alison and Jillian to answer, please email stories@news.com.au
Get more from Alison and Jillian on their Facebook page